Issue #863 has been updated by Clément OUDOT.
Jeff G wrote:
> I think this is where CAS is causing an issue. CAS is controlling the PHP
> session. The reset token only works if the user maintains the current
> session. Once the CAS session is ended, the token that was generated will
> never
Issue #863 has been updated by Jeff G.
I think this is where CAS is causing an issue. CAS is controlling the PHP
session. The reset token only works if the user maintains the current session.
Once the CAS session is ended, the token that was generated will never work
again.
Issue #863 has been updated by Jeff G.
So, it looks like PHP sessions are used to keep a token alive, correct?
If I request a password reset token for another user at my computer and they
open the token link on a different computer, the token will show as invalid?
Issue #863 has been updated by Jeff G.
My original explanation of the issue is wrong. I may have figured out what's
happening, but still looking into a fix. If a user is not already authenticated
in CAS, they are redirected to log in to CAS. I believe the token is consumed
during this page
Issue #863 has been updated by Jeff G.
I should note that I'm using PHP CAS to protect pages, I don't know if this
would cause any issues. I'll try commenting these lines out and let you know
how it goes. Thanks.
Bug #863: Password Token Expiring
Issue #863 has been updated by Clément OUDOT.
Well this is weird.
You can try to disable the session garbage collector tuning in the code by
commenting out the following lines in pages/resetbytokens.php:
# Manage lifetime with sessions properties
//if (isset($token_lifetime)) {
//
Issue #863 has been updated by Clément OUDOT.
Category set to Self Service Password
Target version set to self-service-password-?
This is not normal. The code sets the max lifetime of sessions but should not
expire other sessions.
What value did you use in $token_lifetime?